Why are sensitivity labels important?

27 April 2022

The Office 365 sensitivity labels feature was rolled out to all UQ staff in late 2021. Sensitivity labels use information security classifications to categorise Microsoft Office 365 documents and communications, and to encrypt those labelled as SENSITIVE or PROTECTED. This is part of the University’s continued commitment to improving information security and the safety of staff and students.

The scenarios outlined below showcase why sensitivity labels are so important, and how they can prevent the loss, breach or unauthorised modification of UQ’s data.  

Prevent breaches 

In a complex organisation like UQ, it’s easy to accidentally grant access to confidential information (e.g. emailing the incorrect staff member). This could compromise the creator of the file, as well as its contents. If a document contains SENSITIVE or PROTECTED information, setting the right sensitivity label ensures that the file is encrypted, and allows the document owner to set and manage individual or group access to the document. This means you can control access and ensure the document doesn’t fall into the wrong hands.

For example, you may provide a document containing personal information (e.g. tax file numbers, passport details) to a School Manager for processing. This document has been labelled as SENSITIVE, with access set to the School Manager only. The Manager wishes to delegate the task to an Administrative Officer; however, because the Administrative Officer has not been given access, they are unable to open the document, and need to seek your approval to gain access. This allows you to maintain the security and integrity of both the contents and stakeholders to prevent potentially harmful breaches. 

Note: The document creator controls permissions for SENSITIVE and PROTECTED documents. They can select whether someone (or an Exchange distribution list) has complete, edit or read-only access. Those provided with complete access will have the same control as the document creator and can set further permissions.

Secure sharing 

When documents and emails leave the UQ network they are more vulnerable to security compromises, as external organisations and individuals may have different security protocols which might not meet UQ’s standards.  

When sending communications labelled as SENSITIVE or PROTECTED outside of the University, the recipient is prompted to log into a secure gateway (this doesn’t apply if the receiver is also using Office 365, which ensures encryption). This ensures that security standards are maintained, even once communications leave the University. An example of the secure gateway message is provided below.

For example, a researcher may email research data to a colleague from another university who they have partnered with. Due to the data being unpublished and possibly carrying future commercial significance, it is labelled as PROTECTED, and is encrypted as a result. When their colleague receives the email, this encryption maintains the security and integrity of the data.  

Where possible, avoid sending SENSITIVE and PROTECTED data via email, and instead use applicable storage and sharing interfaces like UQ RDM. If the data must be sent via email, sensitivity labels help protect the researchers and their work, as well as any potential participants in the study.